I have a small web application designed for a small business where the users are only 2 but with different user privilege.
My idea is after the user logged in using the default user and password he will be redirected to a page where he will be updating his password and username. If the user will not update it then it will not be able to navigate through admin dashboard.

Add a field in the user table called last_login, where you store a timestamp every time a user logs in. Since a new user needs to update their password on first login, this is how you can check that. After the password change, set the timestamp. Anytime you want a user to change their password, delete the timestamp.